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DETAILED ACTION 

1 . This action is responsive to the communication filed on October 1 , 2003. 
Claims 1-23 are pending. At this time, claims 1-23 are rejected. 

Claim Rejections - 35 USC § 101 

2. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition 
of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

3. Claim 23 is rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claim 23 recites "a computer program product for protecting a computer 
environment, the computer program product being embodied in a computer readable 
medium and comprising computer instruction for: providing an index; comparing a first 
event with the index; determining whether the first event is unusual; and determining 
whether a security incident associated with the first event has occurred." The claim is 
clearly a software program and it is non-statutory as not being tangibly embodied in a 
manner so as to be executable. Furthermore, applicant has pointed out in the 
specification (first paragraph of page 3) that a computer readable medium such as a 
computer readable storage medium or a computer network wherein program 
instructions are sent over optical or electronic communication links, which clearly 
including intangible media such as signals, carrier waves, transmissions, optical waves, 
transmission media or other media incapable of being touched or perceived absent the 
tangible medium through which they are conveyed. Therefore, claim 23 recites a non- 
statutory subject matter. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made in this Office 
action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
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granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

5. Claims 1-3, 9-16, 19-20, and 22-23 are rejected under 35 U.S.C. 102(e) 
as being anticipated by Sameshima et al (US 6,038,564). 

a. Referring to claim 1: 

i. Sameshima teaches a method for protecting a computer 
environment, comprising: 

(1) providing an index (see Figure 3A, elements SIS- 
SIS and further details in column 5, lines 58-60 and column 6, lines 9-12 of 
Sameshima); 

(2) comparing a first event with the index (see Figure 3A, 
element 312 and further details in column 5, line 61 through column 6, line 20; 
column 6, lines 46-55 of Sameshima); 

(3) determining whether the first event is unusual 
(column 2, lines 52-55; see also Figures 9 and 10 and more details in column 13, 
lines 21-26 of Sameshima); and 

(4) determining whether a security incident associated 
with the first event has occurred (column 5, line 63 through column 6, line 1;and 
column 6, lines 52-55 of Sameshima). 

b. Referring to claim 2: 

i. Sameshima further teaches: 

(1) wherein the first event indicates that a file has been 
modified (column 2, lines 39-51 of Sameshima). 

c. Referring to claim 3: 

i. Sameshima further teaches: 

(1) wherein determining whether the first event is unusual 
includes looking up an identifier of a file in the index (column 2, lines 52-55; see also 
Figures 9 and 10 and more details in column 13, lines 21-26 of Sameshima); and 
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wherein the file is associated with the first event (column 5, line 63 through column 6, 
line 1;and column 6, lines 52-55 of Sameshima). 

d. Referring to claim 9-10: 

i. These claims have limitations that is similar to those of claim 
3, thus they are rejected with the same rationale applied against claim 3 above. 

e. Referring to claim 11: 

i. Sameshima further teaches: 

(1) wherein determining whether the security incident 
associated with the first event has occurred includes correlating a second event with the 
first event; and the second event is a monitored event (see Figure 8C and further 
details in column 12, lines 9-36 of Sameshima). 

f. Referring to claim 12: 

i. Sameshima further teaches: 

(1) wherein determining whether a security incident 
associated with the first event has occurred includes applying a rule (column 5, lines 
41 -51 of Sameshima). 

g. Referring to claim 13: 

i. Sameshima further teaches: 

(1) further comprising determining a priority of the 
security incident if it is determined that a security incident associated with the first event 
has occurred (column 5, line 63 through column 6, line 1;and column 6, lines 52-55 
of Sameshima). 

h. Referring to claim 14: 

i. Sameshima further teaches: 

(1) further comprising determining a degree of 
unusualness for the first event (column 2, lines 52-55; see also Figures 9 and 10 and 
more details in column 13, lines 21-26 of Sameshima). 

i. Referring to claim 15: 

i. Sameshima further teaches: 
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(1) further comprising determining a degree of 
unusualness for the first event (column 2, lines 52-55; see also Figures 9 and 10 and 
more details in column 13, lines 21-26 of Sameshima) and determining a priority of 
the security incident based on the degree of unusualness (column 5, line 63 through 
column 6, line 1;and column 6, lines 52-55 of Sameshima). 
j. Referring to claim 16: 

i. Sameshima further teaches: 

(1) wherein the index includes an archive index (see 
Figure 3A, elements 313-315 and further details in column 5, lines 58-60 and 
column 6, lines 9-12 of Sameshima). 

k. Referring to claim 19: 

i. Sameshima further teaches: 

(1) wherein the index includes an archive index stored in 
a database(column 4, lines 55-58 of Sameshima). 
I. Referring to claim 20: 

i. Sameshima further teaches: 

(1) wherein the index includes an archive index stored in 
an extensible markup language (XML) file (column 4, line 66 through column 5, line 2 
of Sameshima). 

m. Referring to claim 22: 

i. This claim consist a system for protecting a computer 
environment to implement claim 1, thus it is rejected with the same rationale applied 
against claim 1 above. 

ii. wherein Sameshima further teaches: 

(1) a memory coupled with the processor, wherein the 
memory is configured to provide the processor with instructions (column 4, lines 37-51 
of Sameshima). 

n. Referring to claim 23: 
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i. This claim consist a computer program product for for 
protecting a computer environment to implement claim 1, thus it is rejected with the 
same rationale applied against claim 1 above. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 

all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 4-8, 17-18, and 21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Sameshima et al (US 6,038,564), and further in view of Kidder (US 
6880086 B2). 

a. Referring to claim 4: 

i. Sameshima teaches the event identifier as shown in Figure 
3B and further details in column 7, lines 15-21, however Sameshima is silent on the 
capability of showing the identifier includes a signature. On the other hand, Kidder 
teaches: 

(1) wherein the identifier includes a signature (column 3, 

lines. 33-36 of Kidder). 

iii. It would have been obvious to a person having ordinary skill 

in the art at the time the invention was made to: 

(1) have modified the invention of Sameshima with the 
teaching of Kidder for provide a quick, easy way to accurately determine the upgrade 
status of each software component (column 3, lines 47-48 of Kidder). 

iv. The ordinary skilled person would have been motivated to: 
(1) have modified the invention of Sameshima with the 

teaching of Kidder, since signatures are automatically generated for each software 
component as part of putting together a new release a quick comparison of two 
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signatures provides an accurate assurance that either the software component has 
changed or has not (column 3, lines 42-47 of Kidder). 

b. Referring to claim 5: 

i. The combination of teaching between Sameshima and 
Kidder teaches the method for protecting a computer environment. Kidder further 
teaches: 

(1) wherein the identifier includes a signature generated 
by a hash function (column 89, lines 15-19 and lines 24-28 of Kidder). 

c. Referring to claim 6: 

i. The combination of teaching between Sameshima and 
Kidder teaches the method for protecting a computer environment. Kidder further 
teaches: 

(1) the identifier includes a signature generated by a 
checksum function (column 88, lines 65-67 of Kidder). 

d. Referring to claim 7: 

i. The combination of teaching between Sameshima and 
Kidder teaches the method for protecting a computer environment. Sameshima and 
Kidder further teaches: 

(1) wherein the first event indicates that a file has been 
modified (column 2, lines 39-51 of Sameshima), and determining whether the file 
modification is unusual includes comparing a number of occurrences of the file in the 
index (column 2, lines 52-55; see also Figures 9 and 10 and more details in 
column 13, lines 21-26 of Sameshima) with a threshold (column 171, lines 40-52 of 
Kidder). 

d. Referring to claim 8: 

i. The combination of teaching between Sameshima and 
Kidder teaches the method for protecting a computer environment. Sameshima and 
Kidder further teaches: 

(1) wherein the first event indicates that a file has been 
modified (column 2, lines 39-51 of Sameshima), and determining whether the 
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security incident associated with the first event (column 5, line 63 through column 6, 
line 1;and column 6, lines 52-55 of Sameshima) has occurred includes comparing 
a number of occurrences of the file in the index (column 2, lines 52-55; see also 
Figures 9 and 10 and more details in column 13, lines 21-26 of Sameshima) with a 
threshold. 

e. Referring to claim 17: 

i. This claim has limitations that is similar to those of claim 4, 
thus it is rejected with the same rationale applied against claim 4 above. 

f. Referring to claim 18: 

i. The combination of teaching between Sameshima and 
Kidder teaches the method for protecting a computer environment. Sameshima and 
Kidder further teaches: 

(1) wherein the index includes an archive index (see 
Figure 3A, elements 313-315 and further details in column 5, lines 58-60 and 
column 6, lines 9-12 of Sameshima) that includes file revision information (column 
86, lines 1-8 of Kidder). 

g. Referring to claim 21: 

i. The combination of teaching between Sameshima and 
Kidder teaches the method for protecting a computer environment. Kidder further 
teaches: 

(1) wherein the index is cached (column 160, lines 9-10 

of Kidder). 

Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

a. Costa et al (US 6,138,121) discloses network management event 
storage and manipulation using relational database technology in a data warehouse 
(see title). 
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Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Thanhnga (Tanya) Truong 
whose telephone number is 571-272-3858. 

If attempts to reach the examiner by telephone are unsuccessful, 
the examiner's supervisor, Kim Vu can be reached at 571-272-3859. The fax and 
phone numbers for the organization where this application or proceeding is assigned is 
571-273-8300. 

Any inquiry of a general nature or relating to the status of this 
application or proceeding should be directed to the receptionist whose telephone 
number is 571-272-2100. 
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February 15, 2003 
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